From owner-svn-src-all@freebsd.org Sat Jan 26 20:43:29 2019 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7CAA214ADFFF; Sat, 26 Jan 2019 20:43:29 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 23FD76CD73; Sat, 26 Jan 2019 20:43:29 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 16F7925558; Sat, 26 Jan 2019 20:43:29 +0000 (UTC) (envelope-from se@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x0QKhSKs081626; Sat, 26 Jan 2019 20:43:28 GMT (envelope-from se@FreeBSD.org) Received: (from se@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x0QKhS2S081625; Sat, 26 Jan 2019 20:43:28 GMT (envelope-from se@FreeBSD.org) Message-Id: <201901262043.x0QKhS2S081625@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: se set sender to se@FreeBSD.org using -f From: Stefan Esser Date: Sat, 26 Jan 2019 20:43:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r343479 - head/libexec/getty X-SVN-Group: head X-SVN-Commit-Author: se X-SVN-Commit-Paths: head/libexec/getty X-SVN-Commit-Revision: 343479 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 23FD76CD73 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.95 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.998,0]; NEURAL_HAM_SHORT(-0.96)[-0.956,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US] X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Jan 2019 20:43:29 -0000 Author: se Date: Sat Jan 26 20:43:28 2019 New Revision: 343479 URL: https://svnweb.freebsd.org/changeset/base/343479 Log: Fix potential buffer overflow and undefined behavior. The buffer allocated in read_chat() could be 1 element too short, if the chatstr parameter passed in is 1 or 3 charachters long (e.g. "a" or "a b"). The allocation of the pointer array does not account for the terminating NULL pointer in that case. Overlapping source and destination strings are undefined in strcpy(). Instead of moving a string to the left by one character just increment the char pointer before it is assigned to the results array. MFC after: 2 weeks Modified: head/libexec/getty/chat.c Modified: head/libexec/getty/chat.c ============================================================================== --- head/libexec/getty/chat.c Sat Jan 26 18:23:19 2019 (r343478) +++ head/libexec/getty/chat.c Sat Jan 26 20:43:28 2019 (r343479) @@ -141,7 +141,7 @@ read_chat(char **chatstr) int l; if ((l=strlen(str)) > 0 && (tmp=malloc(l + 1)) != NULL && - (res=malloc((l / 2 + 1) * sizeof(char *))) != NULL) { + (res=malloc(((l + 1) / 2 + 1) * sizeof(char *))) != NULL) { static char ws[] = " \t"; char * p; @@ -216,7 +216,7 @@ read_chat(char **chatstr) q = strrchr(p+1, *p); if (q != NULL && *q == *p && q[1] == '\0') { *q = '\0'; - strcpy(p, p+1); + p++; } }